CVE-2026-45580: WWBN AVideo Stored XSS in Live Plugin Stream Key
WWBN AVideo, an open-source video streaming platform, contains a stored cross-site scripting (XSS) vulnerability in its Live plugin. A user with streaming permissions can inject malicious JavaScript into the stream configuration, which then executes in the browsers of anyone—logged-in or anonymous—who views that live stream. The vulnerability persists because user-controlled input (the stream key) is inserted directly into an HTML class attribute without proper sanitization.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a stored cross-site scripting vulnerability. The Live plugin's "YouTube-style" view renders the live transmission's stream key into an HTML class attribute by raw echo, without htmlspecialchars(). A canStream user can persist a key containing " plus an event handler via plugin/Live/saveLive.php, and any visitor (logged in or anonymous) opening the stream's live page executes attacker JavaScript in the platform origin.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The Live plugin in WWBN AVideo 29.0 and earlier fails to sanitize the stream key before rendering it into an HTML class attribute in the 'YouTube-style' view. An authenticated user with canStream privileges can manipulate the stream key via plugin/Live/saveLive.php to include a quote character followed by an event handler (e.g., " onload="..."). When the live stream page loads, the injected event handler executes in the context of the platform's origin, allowing theft of session cookies, credential harvesting, or malware injection. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation).
Business impact
This vulnerability poses a risk to platform availability and user trust. An attacker with streaming permissions can compromise any visitor to the platform, including administrators. Potential impacts include unauthorized access to user accounts, theft of sensitive data, defacement of the platform, or deployment of malware to users' machines. For organizations running AVideo as a shared or public service, this enables lateral movement within the user base and may violate compliance requirements around data protection and incident reporting.
Affected systems
WWBN AVideo version 29.0 and all earlier versions are affected. The vulnerability is isolated to the Live plugin's YouTube-style view rendering. Systems running patched versions or those that have disabled the Live plugin are not affected. Verify your current AVideo version in the admin dashboard.
Exploitability
Exploitation requires a user account with canStream privileges—typically a content creator or administrator role. The attacker then modifies the stream key through the saveLive.php endpoint. No network-level access, authentication bypass, or user interaction beyond viewing the stream is required for the injected script to execute. The low attack complexity and reliance on relatively common permissions make this moderately exploitable in multi-user environments.
Remediation
Upgrade WWBN AVideo to a patched version that sanitizes stream key output using htmlspecialchars() or equivalent context-aware encoding before rendering into HTML attributes. Until patching is possible, restrict canStream permissions to trusted users only, and consider disabling the YouTube-style view or the Live plugin entirely if not actively used. Implement Content Security Policy headers to mitigate XSS impact.
Patch guidance
Check the official WWBN AVideo repository and security advisories for patched versions released after 2026-06-17. Apply the update to the platform codebase, verify the Live plugin's rendering code includes proper HTML entity encoding for user-controlled attributes, and test the live stream view with sample stream keys containing special characters. Restart the AVideo service after deployment.
Detection guidance
Monitor web server and application logs for POST requests to plugin/Live/saveLive.php containing quote characters, angle brackets, or event handler keywords (onload, onerror, onclick) in the stream key parameter. Use a Web Application Firewall (WAF) to block payloads matching XSS patterns in the Live plugin endpoints. Periodically audit configured stream keys in the database for suspicious characters or event handlers. Check browser console logs on user machines for unexpected script execution during live stream viewing.
Why prioritize this
Although rated MEDIUM severity (CVSS 5.4), this vulnerability should be prioritized because it affects all platform visitors regardless of role, can escalate attacker access through credential theft, and exploits a common user action (viewing a live stream). The requirement for low-level streaming privileges means many organizations may have affected users. Patching is straightforward and should be scheduled promptly.
Risk score, explained
The CVSS 3.1 score of 5.4 (MEDIUM) reflects: low attack complexity and no special privileges required for exploitation beyond basic streaming rights; network-accessible vector; limited direct confidentiality and integrity impact to individual sessions; and no denial-of-service capability. However, the scope is changed (cross-site), and the platform-wide reach elevates practical risk above the numeric score in multi-user deployments.
Frequently asked questions
Do I need to be logged in to be affected by this vulnerability?
No. The injected JavaScript executes for any visitor to the compromised live stream page—both logged-in and anonymous users are vulnerable. However, the attacker must have a platform account with streaming permissions to inject the payload.
Can this vulnerability be exploited without modifying the stream key?
No. The attacker must have canStream privileges and use the saveLive.php endpoint to inject the malicious stream key. General visitors cannot trigger the vulnerability on their own.
What happens if my organization uses AVideo but never enables the Live plugin?
You are not affected by this specific vulnerability. However, verify that the plugin is truly disabled in your configuration and that you are running a current version of AVideo for other potential issues.
Does Content Security Policy alone prevent this attack?
A well-configured CSP can mitigate the impact by blocking inline scripts or restricting script sources, but it is not a substitute for patching. CSP should be layered as a defense-in-depth measure alongside proper input sanitization.
This analysis is provided for informational purposes to help security teams assess and remediate the vulnerability. SEC.co makes no warranty regarding the completeness or accuracy of patch information. Organizations should verify all patch versions and guidance against the official WWBN AVideo security advisories and documentation. The vulnerability status, affected versions, and remediation steps may change as vendor updates are released. Always conduct testing in a non-production environment before deploying patches. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-47694MEDIUMWWBN AVideo Stored XSS in Category Descriptions (CVSS 5.4)
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide